Technological Ubiquity:
The Need for Consumer Privacy Protection
The Hong Kong Experience
Tony LAM, Acting Privacy Commissioner for Personal Data
Office of the Privacy Commissioner for Personal Data
Hong Kong SAR
Introduction
The marriage of computer and tele- transmitted over the network. The past great
communications technologies has created a new protectors of data privacy: cost, distance,
electronic networking environment on which incompatibility, etc., are all disappearing in this
business and services are delivered. Today, ubiquitous network of technologies.
anyone who has a connection to the Internet is
able to access easily an abundance of This paper examines the impact of technology
information that is made available online. No on personal data privacy and provides a brief
doubt, the technological advancement will account of the Hong Kong’s experience in
eventually transform the way many implementing consumer data privacy protection.
organizations operate and virtually every aspect
of our modern life. Privacy
The George Orwellian “Big Brother” metaphor I would like to begin by saying that in Chinese
has often been used to describe the relationship society the concept of privacy is relatively new,
of a ubiquitous technology society surveying the in particular, privacy relating to personal data is
activities of individuals by spying on chat rooms, a very new concept. In Chinese vocabulary, the
newsgroups and forums. Industry experts word for “privacy” connotes the notion of
observe that the ubiquitous network is going to secrecy or an aspect of the person that the
be further highlighted by the emergence of new individual would prefer to conceal.
services enabled by wireless broadband access.
The notion of Internet connectivity “any time”, Like many developed countries, Hong Kong
“anywhere” on “any device” is anticipated in faced obstacles in its pursuit of consumer
the near future. privacy protection. In the early days, the
importance of privacy was not a priority as
There is no absolute adversarial relationship government focused upon meeting the more
between technological advances and the basic needs of citizens, such as education and
protection of consumer privacy. However, housing. More specifically arguments were
technology makes it all easy to collect, store and voiced that business would become inefficient if
disseminate personal information. As more and privacy issues were allowed to get in the way.
more commerce and government services are Others commented that privacy compliance
delivered via the ubiquitous technology would be expensive and result in the imposition
network, vast quantities of personal data about of conditions that might create animosity in the
all of us will potentially be collected, stored and community.
ITU Workshop on Ubiquitous Network Societies, 6-8 April 2005, Geneva, SWITZERLAND Page 1 of 6
Impact on Privacy advantages to business in cost reduction; assist
them in better shelving and store layout to
The ubiquitous network of information and promote sales of popular items. Innocuous as it
communications facilitates an affordable “cyber may seem, the technology does pose a threat of
marketplace” for businesses and consumers in intrusiveness to customers’ privacy. The RFID
different parts of the world. Businesses see tag, when linked with personal information such
significant economies in operating in the new as credit card payment data, can potentially be
electronic environment that has global reach, used to profile customers with tagged objects in
with the prospects of cost reductions and respect of their shopping patterns. It is well
enormous opportunities for growth. Similarly, known that RFID tags are highly durable and
for online consumers, the new environment difficult to destroy, so unless customers are
offers infinitely expanded buyer information, informed and/or have the choice to deactivate
competitive prices and a range of choices that the function, then surveillance goes hand glove
are daunting to comprehend. with the purchase of the tagged object.
However, in spite of these apparent benefits, the It is reasonable to conclude that technological
advent of the information and technology age convergence and the ubiquity of information
has also raised significant consumer protection and communications have, on the one hand,
issues. These issues represent new challenges brought considerable benefits in terms of
to businesses, governments and consumers; and product pricing and convenience. On the other
if not addressed, pose significant privacy risks hand it is equally clear that consumers see
and threats that may impact upon the trust and significant privacy risks in terms of the
confidence among E-business participants. management of personal data by online data
users. Not only are consumers concerned about
The growing concern of potential privacy sellers offering quality products and services,
intrusion by advanced technology can be they are also concerned about their ability to
illustrated by the recent developments in exercise control over the use of their personal
wireless communications and RFID. data.
Wireless communications offer many benefits Consumer Privacy Concerns
such as portability, flexibility and lower
installation cost. The rapid development of In today’s E-business environment, concerns
wireless and mobile communications, coupled over privacy emerge when an individual is
with the emergence of location-based devices, is requested to provide personal data, for example,
creating a new wireless environment that offers name, address, credit card number, etc. as part
the prospect of a wealth of services based on of an online transaction when he or she is
knowledge about the precise location of the user. dealing with a business partner over an open
An example is location-enabled emergency and unmanaged network such as the Internet.
service such as vehicle theft tracking. However, This occurs most obviously when individuals
location data, when used in conjunction with fill in online forms. In addition, there is often
other information of a person, may ascertain the “unseen” collection of data, including data
identity of the person and allow his or her where relating to the individual’s online movements
about to be tracked, any time and anywhere. within and between web sites. The data
While location data may offer consumers a collected from individuals may include sensitive
public safety protection in emergency situations, information, such as credit card details and, if
they are concerned about the privacy aggregated, can be used to track an individual’s
implications of such data falling into the wrong preferences and online activities. There is thus
hands. a risk that data could be intercepted during
transmission and that they could be used or
RFID technology used in retail business such as disclosed for unintended, unauthorized or
RFID tags on garments brings significant fraudulent purposes.
ITU Workshop on Ubiquitous Network Societies, 6-8 April 2005, Geneva, SWITZERLAND Page 2 of 6
The issue of privacy concerns more than just the The issuing of a landmark set of Data Protection
security of personal data when the information Guidelines by the OECD in 1980 was implicit
is transmitted over open networks. It relates recognition of that. This initiative has, of
also to the collection, storage and use of the data, course, been further developed by the European
the right of the individual to determine when, Union, which, in 1995, issued a directive on the
how and to what extent others may share his or protection of individuals with regard to the
her personal information and the rights to processing of personal data and the free
request access to and correction of the data movement of such data. The purpose of issuing
concerned. There is also a general lack of the directive was to ensure that, unless there
transparency about what personal data are were adequate protection of personal data in
collected and how the collected data will be countries outside the European Union, trans-
used. border transfer of personal data could be
interfered with, if not suspended, between EU
Privacy concerns are consistently reflected in member states and third party countries.
consumer surveys conducted overseas and also
in Hong Kong. A survey conducted in May In 1994, the Hong Kong Law Reform
2003 by the IT practice group of a local firm Commission reviewed the status of privacy in
(Stephenson, Wong & Co. http://www.Sw- other jurisdictions. This review indicated that
hk.com) revealed that 83% of general Internet there were three macro approaches towards
users feel that limited personal data protection institutionalizing the protection of privacy.
restrains Hong Kong’s E-business development.
In the same survey, 86% of respondents felt that • Option 1 – Institute a statutory framework
E-privacy, or security problems, would dissuade with the establishment of an independent
them from making payments online. regulatory body.
Our own public surveys also revealed that • Option 2 – Create a statutory tort of invasion
consumers in Hong Kong placed privacy of privacy to permit civil proceedings.
protection ahead of quality of service, range of
choice and pricing when evaluating the • Option 3 – Rely upon self-regulation, e.g.
importance of factors that would affect a voluntary codes of practice and professional/
decision to purchase online. In our opinion industry watchdogs.
survey conducted in 2004, 62% of the
respondents (n=1051) expressed their concern Hong Kong adopted option 1 although the
of “misuse of personal data by third parties” approach taken also embraces elements of
when purchasing on the Internet. These option 2 and 3. The statute to protect privacy in
findings provide a good illustration of a relation to personal data is the Personal Data
commonly held perception, rightly or wrongly, (Privacy) Ordinance. Compliance with the
that there is a greater risk in buying online with privacy law is promoted and enforced by the
a credit card than buying in the physical Office of the Privacy Commissioner for
marketplace also using a credit card. This Personal Data (“the PCO”), which was
perception continues to prevail and in so doing established in August 1996. The statutory
acts as an obstacle to E-business thereby framework afforded by the privacy law ensures
frustrating its potential. the independence of the PCO as a regulatory
body, permits civil redress for any contravention
Addressing Privacy Concerns of the provisions of the law, and empowers the
Privacy Commissioner to promote self-
The combined effect brought about by the regulation through issuing codes of practice and
ubiquitous society of technologies and the move privacy guidelines.
towards a global economy has been to bring into
sharp focus the fact that the protection of The privacy law came into effect on 20
privacy has become a truly international activity. December 1996. The objective of the law is
ITU Workshop on Ubiquitous Network Societies, 6-8 April 2005, Geneva, SWITZERLAND Page 3 of 6
obviously to protect the personal data privacy of facilitating the necessary changes. We regard
individuals. It also serves an important purpose continuous promotion as central to the creation
in contributing to Hong Kong’s continued of privacy awareness. In pursuit of our goal, we
economic well being by safeguarding the free adopted a strategic approach that aims to:
flow of personal data to Hong Kong from
restriction by countries that already have data • Promote a culture within the Hong Kong
protection laws. community that respects privacy.
Our privacy law applies to both the public and • Enhance awareness of privacy protection
private sectors and is based on internationally through co-working arrangements with
accepted data protection principles. It provides business, industry and professional bodies.
for statutory controls that address all the key
privacy concerns arising from the use of • Ensure privacy compliance through systemic
electronic networks by individuals such as improvements and a minimum of legal
transparency, security, limitations on use/ enforcement.
disclosure, rights of access and correction and
the right to opt-out from direct marketing • Develop an environment that offers a
approaches by data users. Accordingly, the balance between individual rights to privacy
PCO operates on the principle that “what is and other social, economic and public
unlawful offline is unlawful online”. interests.
Hong Kong’s Approach Policy on Good Privacy Practices
The privacy law was novel to the business Today’s practice of doing business focuses on
sector when it was introduced in Hong Kong. strengthening customer relationship that is built
In the early stages of implementation the signals on trust and confidence. Consumers are
we were receiving had an apprehension about becoming more concerned, more informed, and
them. This apprehension was derived from more demanding with regard to the protection of
established custom and practice around how we their privacy. Adopting privacy protection
do business in Hong Kong i.e. a laissez-faire practices makes good business sense as such
minimal interventionist economy. practices can effectively address their concerns.
We took notice of this apprehension because it The legal framework of the privacy law
was our belief, and remains so, that privacy law provides the ground rules governing data
can only operate effectively if it is understood privacy protection. Equally important though is
and accepted by business and the community the commitment of business and managers to
more generally. A priority task was, therefore, ensuring compliance with these rules. This
to raise privacy awareness in the community at requires conscious effort from all parties
large in which personal data privacy was both concerned.
understood and valued. We believed that this
could only be achieved through a “cultural If this is accepted, then privacy protection has to
shift” in the collective consciousness of the be established as a core value that connects
Hong Kong community. In practice, it meant organizational culture with the best interests of
implementing changes in business practices that consumers. The value can be viewed as an
require a data user to notify individuals of its important indicator of business success and
purposes of collecting data from them and to regarded by many as a way of differentiating
seek consent from the individual concerned for competing providers. A commitment to creating
any different purposes of use. this value means that all planning and
implementation activities must be aligned with
It takes time to effect this “cultural shift” and the vision of the future.
we see our effort playing a significant role in
ITU Workshop on Ubiquitous Network Societies, 6-8 April 2005, Geneva, SWITZERLAND Page 4 of 6
Though essential, creating the value may seem a • Building trust and confidence. Where
rather obscure process. To make it more management succeeds in guaranteeing the
tangible it is necessary to encompass the value exactitude with which personal data is
of good privacy practices into the business E- managed it is likely that this will have a
Privacy policy. This requires an organization to corresponding effect upon the level of trust
inform consumers of its commitment to the and confidence expressed by customers and
protection of their personal data, and honour the other stakeholders. This can only be
responsibility that commitment place upon beneficial, especially in the world of online
management. The challenge then is for business transactions where privacy and
management to be able to “do what it says”. security protocols assume special
Anything that is over-promised or under- importance. Where the protection of
delivered is likely to be counter- productive. personal data is demonstrated to be
exemplary this will reflect upon corporate
The E-Privacy policy implementation should be reputations and brand equity that could boost
a process of deliberate and sustained growth by reinforcing loyalty and expanding
improvement that requires constant compliance the customer base.
assessment and monitoring. It needs to operate
in parallel with the conduct of a Privacy Impact • Gaining competitive advantage. The
Assessment (“PIA”). A PIA may be described logical extension to this benefit is that
as a systematic process that evaluates a businesses should be able to use a high level
proposed project initiative such as a strategic of demonstrated trust and confidence as the
public policy or technology option in terms of basis for differentiating themselves from
their impact upon privacy. In this context, a their rivals. Differentiation not only adds to
PIA should seek to identify actual or potential the value of brands and their positioning but
privacy issues associated with the initiative and also offers business an alternative means of
to examine the options available for mitigating seeking competitive advantage.
any risks that have been identified. To be
effective, a PIA needs to commence at the • Enhancing corporate governance. Today's
outset of the project planning rather than an business environment demands complete,
afterthought. The outcome of any PIA should accurate, timely and relevant information to
be measured against the influence it exerts upon make informed business decisions. The most
proposals and strategic decision-making. reliable source of information about a
Ultimately, the purpose is to ensure that customer is the customer. With accurate
decision-makers are cognizant of the privacy information about their customers,
dimension and work towards decisions that are businesses are able to effectively focus their
privacy enhancing. efforts, time and resources to respond to
customers’ demands for personalized and
The Hong Kong Experience customized services.
Questions have often been asked about the cost In Hong Kong, many business sectors and
of compliance with privacy protection and what companies, particularly those in the information
the pay-off of this investment is likely to be. business such as banks, telecommunications and
One answer to that question is that, as some insurance companies, have realized the need to
commentators have observed, it is not whether rise to the challenge and have voluntarily
companies can afford to adopt good privacy responded by introducing code of fair
practices, but rather a case of whether they can information practices or privacy policies. For
afford not to do so. Simply put, the choice is no them this was just part and parcel of being a
choice. I do not disagree with this observation. good corporate citizen and a professionally run
However, I would add to this with a more business that sought to accommodate new
positive review of the corporate pay-off from challenges rather than oppose them.
our business sector experience in Hong Kong:
ITU Workshop on Ubiquitous Network Societies, 6-8 April 2005, Geneva, SWITZERLAND Page 5 of 6
Each year, the PCO conducts an annual that are to be derived from compliance with the
territory-wide opinion survey that maps public privacy law.
attitudes, and those of the business community,
towards the implementation of the privacy law. The 2004 opinion survey showed that over 80%
Over the past years, our annual opinion surveys of the responses either agreed, or strongly
have shown, on the one hand, increased agreed, that compliance with the law brought,
awareness in the community of privacy rights and continues to bring, long term benefits to
and, on the other hand, more and more business their business in terms of their public image,
organizations recognizing the long term benefits data management, and customer relation.
100
89.6
90 83.6 84.4
78.2 79.4
80
Percentage of responses
70 2000
60
50 2001
40
30
2004
20
10
0
public image of personal data customer employee accuracy of data
the orgainzation management relationship relationship records
Conclusion
Since the establishment of the PCO in 1996, we context of the collective rights of an enlightened
have managed to move from a state of low, or society. Therefore our strategy in the Hong
no, awareness in the community regarding Kong was to approach the issues with patience,
privacy rights to one in which those rights are relying on understanding, communication,
understood. In today’s economic environment, education, persuasion, conciliation, systemic
the issue of privacy protection has often been improvements and a minimum of legal
portrayed as anti-business and privacy laws as enforcement. In our implementation of the
restricting legitimate business activities. In privacy law, we are proud to say that we have
Hong Kong, we have demonstrated that this is been instrumental in developing an environment
not the case. that has made the “cultural shift” possible in our
society. Our privacy legal framework is like a
As we all know, the individual right to privacy seedling. The fruits it bears, if any, depend very
is not an absolute. Its protection, where much on the environment that is cultivated
relevant, has to be considered in the overall around it.
ITU Workshop on Ubiquitous Network Societies, 6-8 April 2005, Geneva, SWITZERLAND Page 6 of 6